Conflict in profiles for Bitlocker encryption using configuration profiles

Question

Hello,

I have a configuration profile for bitlocker where I am getting some conflicts. I am wondering how to narrow down the conflicts based on the information that I have.

Here is the conflict for encrypt disk:

And here is the conflict on requires startup auth:

I am wondering if this is a conflict with our default GPO that is being applied to the device or if it is an issue with the device itself.

Here is the GPO:

Here is the configuration policy:

I did not build out these policies, I just get the task of figuring out why they are not working. On the device itself I am getting some bitlocker events, 834 and 813:

BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.

When I run manage-bde -status on the device I get:

Key Protectors: None Found

Everything in the bios does look correct. UEFI and TPM enabled. I have combed through other posts and articles but have yet to find anything that alines with my issue.

Thanks in advance for any assistance,

Rob

Answer 1

Hi Rob,

==>By device profile report do you mean Device Configuration? If so it does show me that there is a conflict, though it does not show which profiles are in conflict:

Yes, this makes sense. The setting "require device encryption"=disabled in configuration profile labeled "Default-GPO" is in conflict with the setting "encrypt devices"=require in "Default-EndpointProtection-test" configuration profile. Please also check other settings in "Default-GPO" configuration profile.

Thanks for your time. Have a nice day!

Best regards,

Simon

---

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi,

Thank you for posting in Microsoft Q&A forum.

1,==>I am wondering if this is a conflict with our default GPO that is being applied to the device or if it is an issue with the device itself.

The conflict setting status in Intune means the BitLocker policy conflicts with another BitLocker Policy or Security baseline in Intune, it does nothing with GPO here.

We can use below two policy types to configure BitLocker on your managed devices, please check if there is any conflict policy:

Endpoint security disk encryption policy for BitLocker.

Device configuration profile for endpoint protection for BitLocker.

2,Some versions of the security baseline for Microsoft Defender for Endpoint will configure both Compatible TPM startup PIN and Compatible TPM startup key by default. These configurations might block silent enablement of BitLocker. If you deploy this baseline to devices on which you want to silently enable BitLocker, review your baseline configurations for possible conflicts.

In device profiles report, you may see per settings which configuration profiles are in conflicts to solve issue. The most case is when a baseline is different with a device profile for the same setting as example.

For more information, please refer to: Manage BitLocker policy for Windows devices with Intune

Thanks for your time. Have a nice day!

Best regards,

Simon

---

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

Conflict error might be revealed also in local event viewer, under Windows node